== Features ==

Read or write supported EWF formats:

* [[SMART]] .s01 (EWF-S01)
* [[EnCase]] .E01 (EWF-E01) and .Ex01 (EWF2-Ex01)

Read-only supported EWF formats:

* Logical Evidence File (LEF) .L01 (EWF-L01) and .Lx01 (EWF2-Lx01)

=== Examples ===

Imaging a device on a Unix-based system:

<pre>
ewfacquire /dev/sda
</pre>

Imaging a device on a Windows system:

<pre>
ewfacquire \\.\PhysicalDrive0
</pre>

Converting a split RAW image into an EWF image:

<pre>
ewfacquire split.raw.???
</pre>

or

<pre>
cat split.raw.??? | ewfacquirestream
</pre>

A menu-based interface for ewfacquirestream called pyEWF, contributed by [[Dennis Schreiber]], was originally also available on the uitwisselplatform project site. It is no longer maintained and was not moved to the SourceForge project site; the uitwisselplatform itself no longer exists. The name pyewf was later reused for the libewf Python bindings created by [[David Collett]], which are now included in the libewf package.

== History ==

Libewf was created by [[Joachim Metz]] in 2006, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].

Libewf is a rewrite of earlier work on the EnCase 4 file format by [[Michael Cohen]] as part of [[PyFlag]], and of the [[:File:ASR Data's Expert Witness Compression Format.pdf|Expert Witness Compression Format]] specification by [[Andrew Rosen]]. It has since been extended to read and write EnCase version 1 to 7 .E01 files, EnCase 7 .Ex01 files and SMART .s01 files, and to read EnCase 5 to 7 .L01 files and EnCase 7 .Lx01 files. Libewf has also initiated an Extended EWF (EWF-X) specification to bypass limitations imposed by the EnCase .E01 format.

In 2007 [[David Loveall]] contributed mount_ewf.py to the libewf project. This script uses [[fuse]] to mount the storage media data contained in EWF files. Due to repeated issues with Python and the FUSE Python bindings on [[Mac OS X]], part of its functionality was rewritten into '''ewfmount'''.

== Personal Folder File (PFF) format ==

* The '''Personal Address Book (PAB)''', which contains the address book of contacts. These files have the extension '''.pab'''.
* The '''Personal Storage Table (PST)''', which contains items such as e-mails, appointments, tasks and notes, and is used for current and archived mailbox files. These files have the extension '''.pst'''. The PST format is also referred to as the '''Personal Folder File (PFF)''' format.
* The '''Offline Storage Table (OST)''', which contains the same kinds of items and is used for offline mailbox files in conjunction with [[Microsoft]] [[Exchange]]. These files have the extension '''.ost'''. The OST format is also referred to as the '''Offline Folder File (OFF)''' format.

All three share the same underlying file format. Its official name was unknown at the time of writing (Microsoft has since documented the format publicly as [MS-PST]); it has been dubbed the '''Personal Folder File (PFF)''' format after its most common use.

=== MIME types ===

The actual MIME type of the PFF format is unspecified; some sources claim that the following [[MIME types]] apply to this [[file format]]:

=== File types ===

There are 32-bit and 64-bit versions of the PFF. Both use the same file signature but can be distinguished by the version field in the file header.

=== Contents ===

A PFF basically contains a hierarchy of items. The attributes of these items are defined by the [[Microsoft]] [[Outlook]] [[Message API (MAPI)]].

=== Encryption ===

The PFF format allows the item data in the file to be encrypted. Two types of encryption are currently known; they are referred to as compressible encryption and high encryption.

Compressible encryption is a basic byte substitution cipher. High encryption is a slightly more complex substitution cipher in which the substitution also depends on the position of the byte within the data.

From a cryptographic point of view both are obfuscation rather than a means of protecting confidentiality: neither depends on a secret that is unavailable to someone who can read the file, so either can be reversed by any reader of the file.
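The header checks described in the PFF '''File types''' and '''Encryption''' sections above, as an added example written for this page (it is not code from the page's authors or from any PFF library): the parser reads the version word to decide between the 32-bit (ANSI) and 64-bit (Unicode) layouts, then reads the encryption-method byte from the offset that layout places it at, and maps it to the compressible / high names used above. Field offsets and values are taken from Microsoft's public [MS-PST] specification; the sample headers are constructed inside the block and contain only the fields the parser reads, not data from a real mailbox.

```python
import struct

PFF_MAGIC = b"!BDN"         # dwMagic 0x4E444221, stored little-endian
PFF_MAGIC_CLIENT = b"SM"    # wMagicClient 0x4D53
SENTINEL = 0x80             # bSentinel, the byte immediately before bCryptMethod

# wVer values ([MS-PST] 2.2.2.6): 14 and 15 are the 32-bit (ANSI) format,
# 23 the 64-bit (Unicode) format, 36 the 64-bit format with 4 KiB blocks.
ANSI_VERSIONS = {14, 15}
UNICODE_VERSIONS = {23, 36}

# The header layout depends on the variant: the ANSI header is 512 bytes with
# bSentinel/bCryptMethod at 460/461, the Unicode header is 564 bytes with
# bSentinel/bCryptMethod at 512/513.
LAYOUT = {
    "ansi": {"bits": 32, "header_size": 512, "crypt_offset": 461},
    "unicode": {"bits": 64, "header_size": 564, "crypt_offset": 513},
}

# bCryptMethod values and the names this article uses for them.
CRYPT_METHODS = {
    0x00: "none",
    0x01: "compressible (NDB_CRYPT_PERMUTE, byte substitution)",
    0x02: "high (NDB_CRYPT_CYCLIC, position-dependent substitution)",
    0x10: "EDP/WIP encrypted (NDB_CRYPT_EDPCRYPTED)",
}


def parse_pff_header(data: bytes) -> dict:
    """Classify a PFF/PST/OST file from its header: 32- or 64-bit variant and
    which encryption mode is applied to the item data."""
    if len(data) < 16 or data[0:4] != PFF_MAGIC or data[8:10] != PFF_MAGIC_CLIENT:
        raise ValueError("not a PFF file: signature mismatch")
    wver, wver_client = struct.unpack_from("<HH", data, 10)
    if wver in ANSI_VERSIONS:
        variant = "ansi"
    elif wver in UNICODE_VERSIONS:
        variant = "unicode"
    else:
        raise ValueError(f"unknown PFF version {wver}")
    layout = LAYOUT[variant]
    if len(data) < layout["header_size"]:
        raise ValueError("truncated PFF header")
    crypt_offset = layout["crypt_offset"]
    # The sentinel guards against reading the crypt byte from the wrong layout.
    if data[crypt_offset - 1] != SENTINEL:
        raise ValueError("bSentinel is not 0x80: header layout mismatch or corruption")
    crypt = data[crypt_offset]
    return {
        "variant": variant,
        "bits": layout["bits"],
        "wVer": wver,
        "wVerClient": wver_client,
        "bCryptMethod": crypt,
        "encryption": CRYPT_METHODS.get(crypt, f"unknown (0x{crypt:02x})"),
    }


def make_sample_header(wver: int, crypt_method: int) -> bytes:
    """Constructed sample input: a zero-filled header carrying only the fields
    the parser reads. Not taken from a real mailbox file."""
    variant = "ansi" if wver in ANSI_VERSIONS else "unicode"
    layout = LAYOUT[variant]
    header = bytearray(layout["header_size"])
    header[0:4] = PFF_MAGIC
    header[8:10] = PFF_MAGIC_CLIENT
    struct.pack_into("<HH", header, 10, wver, 19)  # wVerClient is 19 for both variants
    header[layout["crypt_offset"] - 1] = SENTINEL
    header[layout["crypt_offset"]] = crypt_method
    return bytes(header)


if __name__ == "__main__":
    for wver, method in ((23, 0x01), (14, 0x02), (36, 0x00)):
        info = parse_pff_header(make_sample_header(wver, method))
        print(f"{info['bits']}-bit PFF, wVer={info['wVer']}, encryption={info['encryption']}")
```

Because the crypt byte sits at a different offset in the two layouts, reading it before deciding the variant would silently misreport the encryption mode; checking bSentinel first catches a file that claims one version but carries the other layout.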

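The '''Features''' section above lists the EWF segment file formats libewf reads and which of them it can also write. As an added example written for this page (not code from libewf or its authors), the following Python identifies an EWF segment file from its file header, reports whether libewf can write that format, and checks that a set of segment files belongs together (one format, segment numbers 1..n in order), which is a cheap sanity check to run before handing a multi-segment image to ewfverify or ewfmount. The signatures and header layouts are taken from the EWF and EWF2 format documentation published with libewf; the segment headers used as input are constructed inside the block. SMART .s01 files carry the same signature as EnCase .E01 files, so the header alone cannot tell those two apart.

```python
import struct

# 8-byte segment file signatures from the EWF / EWF2 format documentation
# shipped with libewf, mapped to format name and libewf support level.
SIGNATURES = {
    b"EVF\x09\x0d\x0a\xff\x00": ("EWF-E01 (also SMART EWF-S01)", "read/write"),
    b"LVF\x09\x0d\x0a\xff\x00": ("EWF-L01", "read-only"),
    b"EVF2\x0d\x0a\x81\x00": ("EWF2-Ex01", "read/write"),
    b"LEF2\x0d\x0a\x81\x00": ("EWF2-Lx01", "read-only"),
}
EWF2_SIGNATURES = (b"EVF2\x0d\x0a\x81\x00", b"LEF2\x0d\x0a\x81\x00")


def parse_segment_header(data: bytes) -> dict:
    """Identify an EWF segment file from the start of its contents.

    EWF (version 1) file header: 8-byte signature, 1-byte fields start (0x01),
    uint16 segment number, uint16 fields end (0x0000).
    EWF2 file header: 8-byte signature, major and minor version bytes,
    uint16 compression method, uint32 segment number, 16-byte set identifier.
    All integers are little-endian.
    """
    signature = bytes(data[:8])
    if signature not in SIGNATURES:
        raise ValueError("not an EWF segment file (unknown signature)")
    fmt, support = SIGNATURES[signature]
    info = {"format": fmt, "libewf_support": support}
    if signature in EWF2_SIGNATURES:
        if len(data) < 32:
            raise ValueError("truncated EWF2 file header")
        major, minor, compression, segment = struct.unpack_from("<BBHI", data, 8)
        info.update(version=f"{major}.{minor}", compression_method=compression,
                    segment_number=segment, set_identifier=bytes(data[16:32]).hex())
    else:
        if len(data) < 13:
            raise ValueError("truncated EWF file header")
        fields_start, segment, fields_end = struct.unpack_from("<BHH", data, 8)
        if fields_start != 0x01 or fields_end != 0x0000:
            raise ValueError("malformed EWF file header fields")
        info.update(version="1", segment_number=segment)
    return info


def check_segment_set(headers: list) -> list:
    """Check a set of segment files given in the expected order (.E01, .E02, ...).

    Returns a list of problems; an empty list means one format throughout and
    segment numbers running 1..n in order."""
    problems = []
    formats = set()
    for index, data in enumerate(headers, start=1):
        try:
            info = parse_segment_header(data)
        except ValueError as exc:
            problems.append(f"file {index}: {exc}")
            continue
        formats.add(info["format"])
        if info["segment_number"] != index:
            problems.append(f"file {index} carries segment number {info['segment_number']}")
    if len(formats) > 1:
        problems.append(f"mixed formats in set: {sorted(formats)}")
    return problems


def make_ewf_header(signature: bytes, segment: int) -> bytes:
    """Constructed sample input (not captured from a real image): just the file
    header bytes, which is all the functions above inspect. The EWF2 version
    and compression values are placeholders."""
    if signature in EWF2_SIGNATURES:
        return signature + struct.pack("<BBHI", 2, 1, 1, segment) + bytes(16)
    return signature + struct.pack("<BHH", 0x01, segment, 0x0000)


if __name__ == "__main__":
    e01_set = [make_ewf_header(b"EVF\x09\x0d\x0a\xff\x00", n) for n in (1, 2, 3)]
    print(parse_segment_header(e01_set[0]))
    print("complete set:", check_segment_set(e01_set))
    print("missing .E02:", check_segment_set([e01_set[0], e01_set[2]]))
```

On a real image only the first few dozen bytes of each segment file need to be read, so the check is cheap even for sets of hundreds of segments; a gap in the segment numbering found this way is the usual reason a later verification of the whole image fails.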